In September 2020, ABC News reported that a German woman in critical condition died because a major hospital wasn’t able to admit her through the emergency room due to a ransomware attack. The attack disrupted the IT systems at Duesseldorf University Clinic (DUC), preventing clinicians from accessing data crucial to admissions. This forced them to send ER patients to another hospital, 20 miles away. By the time this patient reached the secondary hospital, it was too late. Doctors ran out of time to perform the surgery she needed to stay alive.
Think about that for a second.
Doctors could have performed the surgery without computers, but the risk of complications inherent in that approach was deemed greater than the risk of postponing until she could be moved to another facility.
This wasn’t a robot-assisted surgery. But that’s how much healthcare providers rely upon computer systems. We are in the digital age and for hospitals, information technology is not simply an additive that helps with administrative tasks. It is integrated into the delivery of care.
That integration means data access can truly be a matter of life or death.
Across the world, ransomware attacks have increased in frequency and severity. And yet, most hospitals adopt cybersecurity postures that focus more on keeping data from getting out to unauthorized users than on keeping data available to authorized users. This must change. Hospitals must adjust their cybersecurity programs to better account for ransomware attacks. There are two key principles that hospital CISOs should adopt when considering ransomware vulnerability: managing vectors and preparing for recovery.
Healthcare IT Security: Managing Vectors
More devices than ever connect into a hospital’s network. With the blossoming of the Internet of Medical Things, even basic equipment, such as an IV pump, needs network access. The telehealth explosion due to COVID-19 simply added to the list. Even as in-person patient volumes slowly return to normal, the need for services for remote patients, providers, and support staff will continue to grow.
Keeping tabs on what has network access and where it is connecting is critical for security professionals. Data Loss Prevention, discovery and dependency mapping, and Security Information & Event Management (SIEM) tools are often used to monitor access. The important thing to remember is that it’s not just about safeguarding access to your sensitive data. Even if role-based access controls and encryption are in place, a ransomware attack will be effective if it’s able to prevent you from getting to that data. For example, a piece of malware that prevents a server from booting up is just as effective as one that can pull down the data.
In addition to tracking where devices are going on the network, it’s important to actively manage the risk of each vector. Rigorous patching schedules, especially for medical devices that historically have had heightened security vulnerabilities, can ensure that lessons learned by manufacturers are addressed on your instances. Logical network segmentation and even micro-segmentation can help keep devices from having access to vulnerable areas in the first place.
Healthcare IT Security: Preparing for Recovery
Unlike a server failure or power loss, the true extent of malware attack damage may not be readily apparent. As such, recovery strategies in a Business Continuity and Disaster Recovery (BC/DR) plan become more complex. Incident response plans must address how to detect further threats once an initial breach is identified, and how to quickly analyze how the compromise happened, whether the attacker has persistence in the environment, and how to contain it. Communication becomes critical, because both users and devices that could become new vectors must be addressed. If the malware was introduced via an email link, for instance, you don’t want other users clicking on that link and exacerbating the issue.
Simulations and tabletop exercises allow security, IT and operational staff to rehearse security incidents to ensure the right steps are followed. In a real attack, things happen rapidly. Ransomware is constantly evolving, which means response plans need to cover a wider range of scenarios. These can be captured in a simple checklist or, for more mature organizations, within a Security Orchestration, Automation and Response (SOAR) solution. Regardless, adopting continuous improvement plans and frequent exercises based on risk will help identify gaps.
As Advizex has seen within our own customer base, recovery from ransomware presents unique challenges, because it and other malware may lie undetected for a while, increasing their spread. During this period, back-ups can be infected. There are vault technologies and back-up processes that help combat this, but again, ransomware is constantly evolving. Recovery methods have to take into account the potential that back-ups also become infected. This means maintaining enough back-ups at sufficient intervals to get back to a version of the data that isn’t infected, and leveraging tools that can scan back-ups for malware before they’re used to recover.
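The selection logic described above, as an added example that is not Advizex’s code or part of the original article: given a set of back-ups, the time the compromise was detected and an estimate of how long the attacker dwelled before detection, it walks backwards from the newest copy and returns the first one that predates the suspected dwell window, still matches the hash recorded in an offline catalog, and scans clean. It also reports the largest gap between consecutive back-ups, which is the data-loss window a restore would incur. The catalog hashes, the daily back-up schedule, the dwell estimate and the `scan_backup` stand-in (a real deployment would call an AV or YARA scanner) are all assumptions made for the example.

```python
"""Pick a restore candidate that predates the ransomware dwell window.

Added example, not Advizex's code. Assumptions: each back-up's SHA-256 was
recorded out-of-band in an offline catalog when it was taken, and scan_backup()
stands in for a real AV/YARA scan using constructed marker strings.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
from typing import List, Optional


@dataclass
class Backup:
    taken_at: datetime
    payload: bytes          # back-up contents (constructed sample data)
    catalog_sha256: str     # hash recorded in the offline catalog at back-up time


# Constructed indicators standing in for a real scanner's signature set.
SUSPICIOUS_MARKERS = [b"README_DECRYPT", b".locked"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(b: Backup) -> bool:
    """The stored bytes must still match the hash in the offline catalog."""
    return sha256_hex(b.payload) == b.catalog_sha256


def scan_backup(b: Backup) -> List[str]:
    """Stand-in for an AV/YARA scan: returns the markers found in the back-up."""
    return [m.decode() for m in SUSPICIOUS_MARKERS if m in b.payload]


def select_restore_candidate(backups: List[Backup], detected_at: datetime,
                             dwell_estimate: timedelta) -> Optional[Backup]:
    """Newest back-up that predates the suspected dwell window, matches its
    catalog hash and scans clean; None if retention does not reach that far."""
    cutoff = detected_at - dwell_estimate
    for b in sorted(backups, key=lambda x: x.taken_at, reverse=True):
        if b.taken_at >= cutoff:
            continue            # taken while the attacker may already have been inside
        if not integrity_ok(b):
            continue            # tampered or corrupted copy; do not trust it
        if scan_backup(b):
            continue            # dwell estimate was too short: known-bad content inside
        return b
    return None


def retention_reaches(backups: List[Backup], detected_at: datetime,
                      dwell_estimate: timedelta) -> bool:
    """True if at least one back-up predates the suspected dwell window."""
    cutoff = detected_at - dwell_estimate
    return any(b.taken_at < cutoff for b in backups)


def largest_gap(backups: List[Backup]) -> timedelta:
    """Largest interval between consecutive back-ups: the worst-case data loss on restore."""
    times = sorted(b.taken_at for b in backups)
    return max((later - earlier for earlier, later in zip(times, times[1:])),
               default=timedelta(0))


def make_backup(day: datetime, payload: bytes, tampered: bool = False) -> Backup:
    b = Backup(day, payload, sha256_hex(payload))
    if tampered:
        b.payload = payload + b"\x00"   # simulate corruption after cataloguing
    return b


# Constructed scenario: daily back-ups 1-13 Sep 2020, compromise detected on
# 14 Sep, attacker assumed to have been inside for about five days.
DETECTED_AT = datetime(2020, 9, 14, 9, 0)
DWELL_ESTIMATE = timedelta(days=5)

SAMPLE_BACKUPS: List[Backup] = []
for d in range(1, 14):
    day = datetime(2020, 9, d, 2, 0)
    payload = f"patient-index v{d}".encode()
    if d == 9:
        payload += b" README_DECRYPT"   # ransom note captured into the 9 Sep back-up
    SAMPLE_BACKUPS.append(make_backup(day, payload, tampered=(d == 8)))

if __name__ == "__main__":
    chosen = select_restore_candidate(SAMPLE_BACKUPS, DETECTED_AT, DWELL_ESTIMATE)
    print("restore from:", chosen.taken_at if chosen else "no clean back-up in retention")
    print("largest back-up gap:", largest_gap(SAMPLE_BACKUPS))
```

In the constructed data the 9 Sep copy is the newest one outside the dwell window but already contains the ransom note, and the 8 Sep copy fails its catalog hash, so the function falls back to 7 Sep; with only the last four days retained it returns `None`, which is the retention gap the article warns about.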
Healthcare IT Security: Staying Ahead
Hospital data availability can be a matter of life and death, as we’ve already seen. But the predominant focus of most hospital security programs is safeguarding the confidentiality and integrity of data. Protecting against loss of data availability requires additional attention to the different and growing vectors of infection, as well as robust incident response and Business Continuity and Disaster Recovery (BC/DR) strategies that adapt as ransomware adapts.
We can help.